Adaptation is the Best Practice – Leveraging Application Control in the Days of Video Conferencing

Adi Ikan, Network Research & Protection Group Manager

Oren Koren, Senior Cyber Security Product Manager

A major result of the current COVID-19 pandemic is the significant increase in the use of video conferencing applications. Applications like Zoom, BlueJeans, and Microsoft Teams have become critical to our ability to communicate effectively, both for work continuity, and for keeping up with friends and family in these days of social distancing and sheltering in place. Consequently, the need for good visibility and security for these applications is more relevant than ever. In this blog, we share how to leverage the unique security capabilities of Check Point Application Control (APCL) to provide better visibility and security for your organization and your employees.

Check Point Application Control provides the industry’s strongest application security and identity control to organizations of all sizes. Integrated into the Check Point Infinity Architecture, Application Control enables IT teams to easily create granular policies based on users or groups—to identify, block or limit usage of applications and widgets. Applications are classified into categories, based on diverse criteria such as applications’ type, security risk level, resource usage, productivity implications and more.

In Application Control, the video conference apps detection is focused on 4 major components: Basic Discovery (App Identification & Monitoring), File Transfer (Uploads & Downloads), Remote Control and Desktop Sharing. In this blog, we demonstrate how to leverage these for network traffic visibility, and preventing attacks and data exfiltration.

Network Traffic Visibility

Application Control policy granularity allows you to not only discover and inspect the applications used, but also expose actual user actions during the video conference session. By enabling the ‘Accounting’ feature on an application control rule, you get full visibility of your users’ actions as well as the traffic usage.

Best practice:

Download the report template to review and report on video conference application usage.

Discover the most commonly used video conference apps by reviewing the top-used applications and sub-categories per application.

Expose potential challenges by reviewing the actions taken by your policy, and focusing on Accepted versus Dropped traffic.

Discover top users (source IP’s) in your organization using web conference applications. Identify potential challenges based on the amount of traffic and how it may impact the infrastructure.

Below is a sample report showing a significant amount of traffic from two users using Zoom and Microsoft Teams, broken down further to identify Zoom, Zoom Remote Control, Microsoft Teams, Microsoft Teams Remote Control and Sharing, and Zoom Meeting. In this example, according to the policy configured, regular Zoom traffic is allowed while the Zoom-remote-control action is blocked.

Preventing Potential Attacks Scenarios

An attacker can leverage the ability to share files in video conference applications by uploading malicious content into public rooms, potentially infecting endpoints and mobile devices. The following chart represents a potential scenario for this type of attack.

avoid this attack vector, Application Control policy granularity allows you to block file upload/download. For Check Point customers, who are using SandBlast Agent and SandBlast Mobile to secure their endpoints, Application control can also protect the host system from being compromised.

Best practice:

Go to your Access Policy and create a Drop rule for the application name with the action of download.

Data Exfiltration

In many organizations, file sharing applications are restricted to prevent the unauthorized sharing or loss of sensitive data like source code, customer or employee PII, confidential documents etc. Video conference applications can be used to infiltrate data from the organization, without the owners’ knowledge.

Application Control can monitor the upload/download actions for video conferencing apps, identifying and detecting actions that may lead to a potential loss of sensitive data.

Open the following report and review the uploaded data per user (source IP’s) stats. Focus on the users\source IP’s that are owners of sensitive data and show large upload traffic patterns.

Go to your Access Policy and restrict the users from uploading data in video conference applications.

Remote Control Enforcement

In many organizations, unauthorized Remote Desktop connections / applications are restricted, especially when coming from outside the organization. By allowing remote control functionality in video conference applications, you might be exposing users / hosts to attacks. An example of this is a phishing attack that can lead a user to enter a fake conference room and allow an attacker to remotely control his desktop.

To expose the remote control actions taken by the user, Application Control inspects remote connections that are part of the video conference sessions.

Figure 4 – Remote Control report page representing the used Web Conference applications divided into top sources and actions enforced by Application Control policy

Best Practice:

Open the report and review the top users (source IP’s) with remote control activity and a large volume of traffic. Focus on users who may fit high-risk profiles, such as executives or employees who have access to sensitive data.

Summary

The increased reliance and usage of video conferencing apps in the world today requires security teams to understand possible threats and adapt their security policy accordingly. Check Point Application Control has unique detection capabilities that provide better visibility of usage patterns and can secure employees and hosts from attackers trying to take advantage of what has become our new normal.